Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Svchost Process Access

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim BurrellCreated Thu Jan 02Updated Mon Jan 30166e9c50-8cd9-44af-815d-d1f0c0e90ddewindows
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetImage|endswith: ':\Windows\System32\svchost.exe'
        GrantedAccess: '0x1F3FFF'
        CallTrace|contains: 'UNKNOWN'
    filter_main_msbuild:
        SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
        # Just to make sure it's "really" .NET :)
        CallTrace|contains:
            - 'Microsoft.Build.ni.dll'
            - 'System.ni.dll'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
166e9c50-8cd9-44af-815d-d1f0c0e90dde
Status
test
Level
high
Type
Detection
Created
Thu Jan 02
Modified
Mon Jan 30
Author
Tim Burrell
Path
rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
Raw Tags
attack.defense-evasionattack.t1562.002
View on GitHub